Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

Trend Micro is refocusing its Zero Day Initiative (ZDI) Targeted Incentive Program (TIP) with new targets for researchers to discover and disclose zero-day flaws.

The TIP program is now adding OpenSSH and the ISC BIND DNS server to the effort, awarding researchers $200,000 for successfully reporting vulnerabilities that enable remote code execution. The TIP program already includes $200,000 awards for flaws in the NGINX and Apache HTTP web servers running on Ubuntu Linux, as well as Microsoft IIS and SMB. In total, the TIP effort now has an award pool of $1.2 million available for researchers to claim.

"For TIP, we are looking for bugs in the NGINX, Apache, OpenSSH and ISC BIND code bases, but we will also acquire bugs in Ubuntu, Linux, Red Hat and other open-source products that impact our customers through the normal Zero Day Initiative program," Brian Gorenc, director of vulnerability research with Trend Micro’s ZDI program, told eWEEK.

Further reading

ZDI is in the business of acquiring vulnerabilities from security researchers and then responsibly disclosing the flaws privately to impacted vendors. The TIP effort was first announced in July as an incentivized effort to help solicit more server-side vulnerabilities from researchers. To date, ZDI has not awarded any money as part of TIP, as there have been no completely successful vulnerability submissions from researchers.

"We did purchase some bugs that were submitted to the program, but they weren't full exploit chains, so they didn’t qualify as winning," Gorenc said.

Gorenc explained that, in a sense, the TIP initiative is similar to ZDI's Pwn2Own contest. Pwn2Own is an event where researchers need to demonstrate a full exploit from start to finish at a live event. At the Pwn2Own event in March, ZDI awarded researchers a total of $267,000 for disclosing new vulnerabilities in operating system and browser software.

Much like Pwn2Own, ZDI often doesn't get bugs when a new category is first announced, he said.

"The bar to win a category is pretty high, so it’s not too surprising we haven’t received a winning submission yet," Gorenc said.

Targets

The TIP program initially also included the open-source Joomla, Drupal and WordPress content management systems (CMS) that are now being removed from the effort.

"Part of the program is designed to be time-bound," Gorenc said. "When the time period for those programs ended, we removed them from the program."

ISC BIND is new to TIP and is a widely deployed DNS (Domain Name System) server. DNS provides a critical function in the operation of the internet, matching IP addresses to domain names to enable web browsing. OpenSSH is also new to the program and is an open-source implementation of the SSH (Secure SHell) protocol that enables remote administration of servers.

Pwn2Own Tokyo

The new TIP categories come a week ahead of ZDI's mobile Pwn2Own event in Tokyo, which runs Nov. 13-14. At the 2017 Mobile Pwn2Own, 32 different zero-day vulnerabilities were disclosed, with ZDI awarding researchers $515,000 in awards.

The 2018 Mobile Pwn2Own event will introduce new mobile targets for researchers to go after.

"We’ve added a category for internet of things that includes cameras, smart speakers and the Apple watch," Gorenc said. "Last year, we saw a baseband exploit. It wouldn’t shock us to see additional research in that area."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.